Sending @debian.org mails from Debian infrastructure

Due to the increasing number of classic mail servers that require a proper SPF/DKIM/DMARC setup before accepting mail, DSA has set up an SMTP submission server.

The SMTP submission server is hosted on stravinsky.debian.org, on port 587, but it is recommended to use the CNAME mail-submit.debian.org for the submission service.

To send mail via this server, a Debian Member must have set a mailPassword on their account in LDAP. The only way to do so is to request a new password via the LDAP mail gateway.

Change mailPassword

To do so, send a GPG-signed mail whose body contains the sentence "Please change my mail password" to chpasswd@db.debian.org. Something like echo "Please change my mail password" | gpg --clearsign | mail chpasswd@db.debian.org should do the job if your host knows how to send mail.

You'll receive an encrypted password by mail, and after a delay of between a few minutes and an hour it will be active on mail-submit.debian.org.

DKIM signature

Any mail sent via mail-submit.debian.org is DKIM-signed. The server adds an X-Debian-User: header containing the user whose password was used to authenticate to the server, and this header is covered by the DKIM signature. The server signs all mails it considers it should handle (for now, mails from debian.org, debconf.org and ftp-master.debian.org). No specific setup is required from end users, other than sending from the appropriate mail address.

Client config

server: mail-submit.debian.org
port: 587
login: your Debian username (not the mail address)
password: the mailPassword obtained as described above
encryption: STARTTLS
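The settings above, as an added example client (not code from the page or from DSA): it submits a message over STARTTLS with certificate verification and SASL login, and refuses to authenticate if the server does not offer STARTTLS. The recipient address, subject and body are made-up placeholders; the username and mailPassword are read interactively.

```python
import smtplib
import ssl
from email.message import EmailMessage

SUBMISSION_HOST = "mail-submit.debian.org"  # recommended CNAME from the page
SUBMISSION_PORT = 587


def make_tls_context() -> ssl.SSLContext:
    """Context that verifies the server certificate against the system CA store
    and checks the hostname. Without verification, STARTTLS on port 587 gives
    no protection for the mailPassword against an on-path attacker."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_message(debian_user: str, to_addr: str, subject: str, body: str) -> EmailMessage:
    """Build a message whose From: is the user's @debian.org address, one of
    the domains the submission server DKIM-signs."""
    msg = EmailMessage()
    msg["From"] = f"{debian_user}@debian.org"
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_submission(msg: EmailMessage, debian_user: str, mail_password: str,
                        host: str = SUBMISSION_HOST, port: int = SUBMISSION_PORT) -> dict:
    """Submit `msg` with STARTTLS + SASL auth. The login is the Debian username
    (not the mail address); the password is the LDAP mailPassword. Returns the
    dict of refused recipients from send_message (empty means all accepted)."""
    ctx = make_tls_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("STARTTLS"):
            # Never fall back to sending credentials in cleartext.
            raise RuntimeError("server did not offer STARTTLS; refusing to authenticate")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # AUTH and other capabilities are re-announced after TLS
        smtp.login(debian_user, mail_password)
        return smtp.send_message(msg)


if __name__ == "__main__":
    import getpass
    user = input("Debian username: ")
    password = getpass.getpass("mailPassword: ")
    # Placeholder recipient; replace with a real address when trying it out.
    message = build_message(user, "someone@example.invalid", "test", "hello")
    print(send_via_submission(message, user, password))
```

The explicit has_extn check is belt-and-braces: smtplib's starttls() already raises if the extension is missing, but spelling it out makes the "no plaintext AUTH" policy visible in the code.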

Postfix as a client config

Thanks to Ganneff for the snippet:

In /etc/postfix/main.cf, make sure you have the following configuration (or adapt it if you already rely on Postfix as a client for other stuff):

smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = dane

sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous

Add mail-submit.debian.org as a relayhost when you send from @debian.org. In /etc/postfix/sender_relay:

@debian.org [mail-submit.debian.org]:587

Add the appropriate login/password in /etc/postfix/sasl_passwd:

@debian.org user:password

Run postmap on sender_relay and sasl_passwd, reload postfix, have fun.

For more details, please read the client_sasl_sender section of Postfix's SASL_README.

FAQ

Does the mail server check the From: header?

No, you can put anything you want, but the X-Debian-User header will make it clear who sent the mail.

Is the server an open relay?

It's an unrestricted relay, which is different from an open relay.

As soon as you have a Debian account and a mail password configured in LDAP, you can send mails through it, even from your own mail domain. That being said, the DKIM signature won't work for such mail, and the server is not intended for that usage, so if people abuse it we'll probably change this behaviour.

Do I need to do any configuration to have DKIM working properly, like I did for the user DKIM feature?

No. That being said, if you intend to use mail-submit.debian.org, and you have already configured DKIM signing with your mail client or MTA, your mail will be signed twice and it's possible that one of the signatures will not validate.

This should not cause any issues; see https://datatracker.ietf.org/doc/html/rfc6376#section-4 for more details.
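Since the DKIM signature section says X-Debian-User is covered by the server's signature, and the answer above notes that a message may end up with two DKIM-Signature headers, here is an added checker (not code from the page or from DSA) that lists every DKIM-Signature on a message with its signing domain and whether its h= tag lists X-Debian-User. It only inspects the h= tag list; it does not cryptographically verify the signatures, which a DKIM verifier such as dkimpy would do. The sample message, selector names and tag values are constructed placeholders.

```python
import email
import re
from typing import Dict, List, Optional

# Constructed sample: one signature from the submission server (covers
# x-debian-user) and one from the sender's own MTA (does not). bh=/b= values
# are placeholders, not real signature data.
SAMPLE_MAIL = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=debian.org; s=EXAMPLE-SELECTOR;
 h=from:to:subject:date:message-id:x-debian-user; bh=PLACEHOLDER=; b=PLACEHOLDER=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.invalid; s=mine;
 h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=
X-Debian-User: jdoe
From: Jane Doe <jdoe@debian.org>
To: someone@example.invalid
Subject: test
Date: Mon, 01 Jan 2024 00:00:00 +0000
Message-ID: <constructed@example.invalid>

hello
"""


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 section 3.2).
    Folding whitespace is not significant in any tag, so it is dropped first."""
    compact = re.sub(r"\s+", "", header_value)
    tags: Dict[str, str] = {}
    for part in compact.split(";"):
        name, sep, value = part.partition("=")
        if sep and name:
            tags[name.lower()] = value
    return tags


def signatures_covering_header(raw_mail: str, header_name: str = "X-Debian-User") -> List[Dict[str, object]]:
    """One record per DKIM-Signature: signing domain (d=), selector (s=) and
    whether `header_name` appears in the signed-header list (h=)."""
    msg = email.message_from_string(raw_mail)
    wanted = header_name.lower()
    records: List[Dict[str, object]] = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(str(value))
        signed = [h.lower() for h in tags.get("h", "").split(":") if h]
        records.append({
            "domain": tags.get("d", ""),
            "selector": tags.get("s", ""),
            "covers": wanted in signed,
        })
    return records


def debian_user_attested(raw_mail: str, signing_domain: str = "debian.org") -> Optional[str]:
    """Return the X-Debian-User value only when a signature from `signing_domain`
    lists that header in h=; otherwise None. A header that is present but not
    covered by the signature could have been added or changed after signing."""
    msg = email.message_from_string(raw_mail)
    user = msg.get("X-Debian-User")
    if user is None:
        return None
    for rec in signatures_covering_header(raw_mail):
        if str(rec["domain"]).lower() == signing_domain and rec["covers"]:
            return user.strip()
    return None


if __name__ == "__main__":
    for rec in signatures_covering_header(SAMPLE_MAIL):
        print(f"d={rec['domain']} s={rec['selector']} covers X-Debian-User: {rec['covers']}")
    print("attested user:", debian_user_attested(SAMPLE_MAIL))
```

On the sample, the debian.org signature covers X-Debian-User and the example.invalid one does not, which is the double-signature situation the FAQ describes: the attribution claim rests on the debian.org signature alone, so a verifier should key its decision on that signature's result rather than on "any signature passes".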